Ollivier Robert wrote:
> Try this instead:
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/
Thanks for the assistance. That FreeBSD web site's UI sucks. Their "Get
diffs" button is broken and always returns nothing. To get a diff on a
file, one must click the "text" next to the revision number.
FreeBSD's backported patch seems insufficient and vulnerable. I come to
this conclusion because they only modified two files (sprintf.c and
string.c) -- but the Ruby changelog for this fix mentions other files
(e.g., array.c), and Zed Shaw identifies about a dozen files potentially
involved in the fix at
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html
So we still need to come up with either a backport for one of the
working versions of Ruby, or a fix to one of the currently released but
broken versions.
I've sent email to Stas, the FreeBSD maintainer of Ruby, to warn them of
the potential security hole in their release and in hopes that they may
join this discussion.
-igal
--
Posted via http://www.ruby-forum.com/.